Hi @cb999,
Yes, both of these security settings within a virtual switch control how the system handles traffic with potentially manipulated source MAC addresses: "Forged Transmits" focuses on outgoing traffic from a virtual machine, while "MAC Address Changes" monitors incoming traffic to the VM.
When the MAC Address Changes option is set to Reject, ESXi does not honor requests to change the effective MAC address to a different address than the initial MAC address.
To protect against MAC impersonation, you can set the Forged transmits option to Reject. If you do, the host compares the source MAC address being transmitted by the guest operating system with the effective MAC address for its virtual machine adapter to see if they match. If the addresses do not match, the ESXi host drops the packet.
------------------------------
If you find this answer right, please 'Recommend' this post.
Thank you!
Regards,
Shen
------------------------------
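The inventory check cb999 asked for, as an added PowerCLI example (not code from either poster or from VMware): it lists, for each VM adapter on the named port groups, the MAC address configured on the vNIC next to the MAC address the guest reports through VMware Tools, so adapters that would be affected by Forged Transmits = Reject stand out before the policy is changed. It assumes an existing Connect-VIServer session and the VMware.VimAutomation.Core module; the port group names 'VM Network' and 'DMZ' are placeholders.

```powershell
# Added example, not from the original thread. Assumes Connect-VIServer has already
# been run and VMware.VimAutomation.Core is loaded.
# Compares the MAC configured on each vNIC with the MAC the guest reports via
# VMware Tools (VirtualMachine.Guest.Net), flagging adapters that differ.

function Get-VMMacMismatch {
    [CmdletBinding()]
    param(
        # Port group names to inspect (placeholder values in the usage below).
        [Parameter(Mandatory)] [string[]] $PortGroupName
    )

    foreach ($vm in Get-VM) {
        # Guest-reported NICs; empty when VMware Tools is not running in the guest.
        $guestNics = @($vm.ExtensionData.Guest.Net)

        foreach ($adapter in Get-NetworkAdapter -VM $vm) {
            if ($adapter.NetworkName -notin $PortGroupName) { continue }

            # Match the guest NIC record to this vNIC through the device key.
            $guestNic = $guestNics |
                Where-Object { $_.DeviceConfigId -eq $adapter.ExtensionData.Key } |
                Select-Object -First 1
            $guestMac = if ($guestNic) { $guestNic.MacAddress } else { $null }

            $status = if (-not $guestMac) { 'Unknown (no Tools data)' }
                      elseif ($guestMac -ieq $adapter.MacAddress) { 'Match' }
                      else { 'MISMATCH: dropped once Forged Transmits = Reject' }

            [pscustomobject]@{
                VM            = $vm.Name
                Adapter       = $adapter.Name
                PortGroup     = $adapter.NetworkName
                ConfiguredMac = $adapter.MacAddress
                GuestMac      = $guestMac
                Status        = $status
            }
        }
    }
}

# Current security policy of the port groups, to record the state before any change.
function Get-PortGroupSecurity {
    param([Parameter(Mandatory)] [string[]] $PortGroupName)
    Get-VirtualPortGroup -Name $PortGroupName |
        Get-SecurityPolicy |
        Select-Object VirtualPortGroup, AllowPromiscuous, ForgedTransmits, MacChanges
}

# Usage with placeholder port group names:
Get-PortGroupSecurity -PortGroupName 'VM Network', 'DMZ'
Get-VMMacMismatch -PortGroupName 'VM Network', 'DMZ' | Format-Table -AutoSize
```

Two caveats on reading the output. Rows marked Unknown come from guests without running VMware Tools, so they need to be checked inside the guest (or at the physical switch) before you can be sure; and the guest-reported MAC comes from software inside the VM, so this is an inventory aid for planning the change, not a substitute for the vSwitch policy itself. Workloads that legitimately change their MAC (some clustering and load-balancing products, nested hypervisors) show up as MISMATCH and should be moved to their own port group or re-addressed before the policy is switched, which can then be done with Set-SecurityPolicy -ForgedTransmits $false -MacChanges $false on the port group.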
Original Message:
Sent: Dec 07, 2024 08:14 PM
From: cb999
Subject: Impact of changing MAC address changes & Forged transmits in port groups
Hi,
I'd like to secure my vSwitch port groups by changing these two values from Accept to Reject. Is there a way to find out whether any VMs attached to the port groups use a different MAC address from the one assigned originally (in such case, my understanding is Forged Transmits will drop the traffic from these VMs)?
Thanks.